Wednesday, January 31, 2007

Goodbye Applet, Hello NAT'ed IP Address

To perform some Intranet Hacking we need the web browser's internal NAT'ed IP address (i.e., 192.168.xxx.xxx). While not the most elegant solution, Java Applets (MyAddress) are the only real way to go. It turns out JavaScript can invoke Java classes directly (Firefox), including java.net.Socket, and can achieve the same results. No Applet is required, which makes the proof-of-concept code a lot easier.

Hi Jeremiah, I've been talking with a few people, isn't it a good idea to build a sort of repository or Wiki with such snippets for reference? I heard RSnake had some plans for such a thing, but nothing really real yet. Anyway, one would never miss such things, and it would be easier to go to such a site instead of scavenging blogs for examples.

1) Little typo in the red text on your latest article "Please met know if anyone knows a way to invoke Java classes from JavaScript in Internet Explorer."

This kind of thing happens to me all the time, when your fingers get ahead of your brain. "let me" becomes "met" ;)

2) As requested, this page has a solution for IE (though it requires ActiveX and JavaScript). Check this page: http://www.devarticles.com/c/a/JavaScript/Advanced-JavaScript-with-Internet-Explorer-Retrieving-Networking-Configuration-Information/

Enough all by itself? Just to make sure it wasn't because the socket code had already loaded I restarted my browser. But it looks like that's all you need to do to get the internal IP, right? I probably shouldn't be trying to do this at 2am, I'll likely regret it. ;-)

Why does it take more effort? That method appears to work just fine for me right now on my Mac running FF 2.0.2 without doing all the socket setup. Is there some advantage to making the actual socket call that I don't get? Some reason why it doesn't work on some platforms?

About Me

Jeremiah Grossman's career spans nearly 20 years, and he has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards and been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events, including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!